Prepare and Recover from a Ransomware Attack-cristie
Pernilla Arensparr May 4, 2023 11:22:40 AM 8 min read

Best Practices: Prepare and Recover from a Ransomware Attack

While ransomware attacks are skyrocketing in number, Rubrik customers can quickly and effectively recover their data to minimize the damage to their business. This article explains Rubrik Zero Trust Data Security™ and how its built-in capabilities keep secured backup data out of reach of ransomware. Then you'll learn about deployment best practices that make it even harder for cybercriminals to attack. Finally, we walk through the recovery process in the unfortunate event that an attack occurs.


How to recover from ransomware attacks


01. Preparation


Build a plan

Develop a ransomware response and recovery plan and supporting playbook. A comprehensive plan developed before an attack occurs is critical to a successful outcome. This plan should be updated and reviewed periodically. Additionally, you should store this plan in a secure location that ransomware cannot compromise. A printed copy is suitable for this.

Prioritize Critical Data and Systems

Identify the criticality of each system to the business and any dependencies. Knowing which systems need attention first and how they interact with other business systems will allow a smooth and orderly recovery.

Know Your Recovery Strategy

Determine the best recovery method for each workload. For example, Rubrik Instant Recovery instantiates the recovered workload directly from backup, running live on the Rubrik cluster's storage. Because no data has to be copied back first, the workload comes up much faster than it would if a full backup had to be restored to production storage. This method, however, rolls the entire system back to a known-safe point in time, so any data written after that point, including data that was never infected or encrypted, is lost unless you recover it separately (for example, at file level).

Test Your Plan

Periodically test data recovery to be prepared for an actual incident. Without testing the recovery plan, there can be no assurance that it will work when an attack happens. Testing also provides the experience and confidence to staff members that an attack can be successfully and quickly remediated.


02. Detection and Analysis


Determine Blast Radius

Ransomware continues to evolve at breakneck speeds. It is reasonable to suggest that no organization is entirely immune. In fact, assuming you have already been breached is an advisable position. An “assumed breach” mindset requires a “Zero Trust” or “never assume trust, always verify” approach. Even with the best prevention tools, humans are undoubtedly the weakest link, making detecting an attack crucial. Once an attack is detected, determining its blast radius is vital so that you can mitigate damage and recovery can begin.

Isolate Infected Systems

Systems that are suspected or confirmed to be infected with ransomware should be isolated. This approach will prevent the ransomware from spreading to other systems on the network.

Notify Stakeholders

All stakeholders should be notified of the ransomware attack so that they can start to execute their portions of the recovery plan. Early notification of stakeholders, Rubrik, and other vendors will allow them to respond even while the attack is still being investigated.

Assess and Neutralize

Ascertain the current status, impact, and scope of the situation. Failing to understand the current position can lead to restoring before the attack is fully neutralized. Doing so can reintroduce the ransomware and reinfect systems, causing more damage and downtime for further recovery.


03. Containment, Eradication, and Recovery


General Best Practices

These best practices apply to all recovery scenarios.

Recover safely: Only begin recovery operations after you have neutralized the ransomware. Data may need to be recovered in isolation or to new systems. Restoring systems or data before fully neutralizing the ransomware may result in repeat infection. If the ransomware cannot be isolated and neutralized promptly, the alternative is to recover to an isolated environment, where reinfection cannot occur.

Decrypt data: Recovery may not be necessary if a decryptor exists for the identified ransomware strain. When possible, decrypt existing data to prevent data loss, but only with a decryptor obtained from a trusted source, and verify the decrypted output against a known-good backup before returning it to production. Decryption should occur in a safe environment; if you cannot fully neutralize the ransomware, decrypt in isolation.

Recover to an isolated environment: If you have not identified the attack vector, your environment is not secure, and you need an isolated environment to recover to. Ransomware attacks are often so pervasive that recovering back to the original locations only results in secondary attacks. Recovering into an isolated environment that the ransomware never had access to is the best protection against a secondary attack. During the Preparation phase, you should have identified and tested such an isolated environment; during the Recovery phase, use it to recover data securely when needed.

Prioritize recovery: As planned during the Preparation phase, recovery proceeds according to the prioritization of applications and lines of business, and the concrete list of what to recover and when comes out of the Detection & Analysis phase. Ensure that the foundational services other systems depend on, such as Active Directory, DNS, DHCP, NTP, and authentication, are recovered first. Without these, the other recovered systems may not function properly.

Use automation: Use the tested automation that you developed during the Preparation phase. Automated recovery via orchestration tools and Rubrik's APIs and SDKs speeds up recovery, and automation that has been proven in rehearsals also reduces the chance of restoring the wrong object, to the wrong place, or in the wrong order.
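The two points above, dependency-aware prioritization and scripted recovery, can be combined into a small recovery planner. The following is an added example written for this article, not Rubrik code: the inventory, tiers and dependencies are constructed, and the `restore` and `verify` callbacks are hypothetical hooks where a real orchestration would call the backup platform's API and a post-restore health check. The planner orders workloads by dependency (Kahn's topological sort), breaks ties by business tier so foundational services come first, refuses to run on a cyclic inventory, and skips anything whose dependency failed verification rather than restoring on top of a broken foundation.

```python
from collections import defaultdict

# Constructed sample inventory for the example. tier 0 = foundational services
# (directory, DNS/NTP, DHCP, PKI), tier 1 = line-of-business, tier 2 = secondary.
INVENTORY = {
    "dc01":      {"tier": 0, "depends_on": []},                 # AD + DNS + NTP
    "dhcp01":    {"tier": 0, "depends_on": ["dc01"]},
    "pki01":     {"tier": 0, "depends_on": ["dc01"]},
    "sql-erp":   {"tier": 1, "depends_on": ["dc01"]},
    "erp-app":   {"tier": 1, "depends_on": ["sql-erp", "pki01"]},
    "fileshare": {"tier": 2, "depends_on": ["dc01"]},
    "intranet":  {"tier": 2, "depends_on": ["dc01", "fileshare"]},
}


def recovery_order(inventory):
    """Return workloads in an order where every dependency precedes its dependents.

    Among workloads that are ready, the lowest business tier is restored first,
    then alphabetical for determinism. Raises ValueError on unknown or cyclic
    dependencies so a bad plan fails before any restore is attempted.
    """
    indegree = {name: 0 for name in inventory}
    dependents = defaultdict(list)
    for name, spec in inventory.items():
        for dep in spec["depends_on"]:
            if dep not in inventory:
                raise ValueError(f"{name} depends on unknown workload {dep}")
            indegree[name] += 1
            dependents[dep].append(name)

    ready = [n for n, d in indegree.items() if d == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: (inventory[n]["tier"], n))
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)

    if len(order) != len(inventory):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def run_recovery(inventory, restore, verify, target="isolated-recovery-net"):
    """Restore in dependency order into an isolated target.

    `restore(name, target)` and `verify(name) -> bool` are hypothetical callbacks
    standing in for the backup platform's API call and a post-restore check.
    A workload is skipped, not restored, if any dependency did not verify.
    """
    report = {}
    for name in recovery_order(inventory):
        bad_deps = [d for d in inventory[name]["depends_on"] if report.get(d) != "ok"]
        if bad_deps:
            report[name] = "skipped"          # foundation missing; do not restore
            continue
        restore(name, target)
        report[name] = "ok" if verify(name) else "failed"
    return report


if __name__ == "__main__":
    # Demo with stand-in callbacks: everything restores, but the ERP database
    # fails its health check, so the ERP application is skipped.
    log = []
    report = run_recovery(
        INVENTORY,
        restore=lambda name, target: log.append(f"restore {name} -> {target}"),
        verify=lambda name: name != "sql-erp",
    )
    print("\n".join(log))
    print(report)
```

Keep the inventory itself in the offline copy of the plan (a printed dependency map is fine) so the ordering can be reproduced even if the system that normally holds it is encrypted.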

File-only Recovery

These best practices apply to scenarios where only files and directories need recovering. Consider that malware may lay dormant for some time before executing its payload, and unless you can be 100% confident that this is not the case, a clean OS followed by a file-level recovery is the only safe option.

Virtual Machine and Database Recovery

These best practices apply when the VM itself cannot be used as-is. This may happen if the NAS or datastore the VM runs on is compromised, or if the ransomware has rendered the VM unbootable. Apply the same reasoning as for file-level recovery: can you trust that the guest operating system does not carry a dormant infection? Malware typically lies dormant for some time before the payload (in the case of ransomware, encryption or theft of data) is deployed. If you cannot be confident, deploy a clean operating system and recover at the file or application level.

Active Directory Recovery

Microsoft’s Active Directory is a widely used, distributed directory service that forms the fundamental platform underlying many enterprise environments. As well as authentication services, it usually provides DNS and NTP and may also provide the underlying Public Key Infrastructure (PKI) and DHCP in many environments. It is also one of the infrastructure components most commonly hit by ransomware. Due to these factors, it is typically one of the first pieces of infrastructure that needs to be recovered.


04. Key Rubrik Security Technologies


Native Immutability

Rubrik engineered a purpose-built, natively immutable file system to protect its customers' data. While there are many advantages to how this file system operates, having immutability built in reduces complexity, operational overhead, and security risk. Once written, data cannot be changed in any way. Because Rubrik stores data in a non-native format, an attacker who reaches the storage cannot simply read or exfiltrate backup contents in usable form. This contrasts with solutions that keep backup data readily accessible in its native format, where it is easy for attackers to modify or steal.

SLA Retention Lock

SLA Retention Lock is an additional layer of the Rubrik Zero Trust architecture that provides data resilience. Once enabled, Retention Lock strictly prohibits any modification to an SLA domain policy that would result in backup data being deleted. This covers outright deletion, shortening retention so that data expires early, and redirecting data via Rubrik's archival and replication policies.

Two Person Rule

Rubrik offers a capability that requires two people's input to make certain changes. The two-person rule adds a layer of protection against rogue administrators or compromised credentials by requiring a second approval for selected critical changes. When enabled, those changes cannot be completed by a single administrator acting alone.

Intelligent Data Lock

Intelligent Data Lock gives users an additional window of time that snapshots are kept after expiration or deletion. This allows for recovery of these snapshots even after they have been expired or deleted. This capability is available and on by default with CDM versions 8.0.3 and newer.

Legal Hold

Legal Hold provides a method to prevent a snapshot from expiring and aging off the backup solution. While typically used to maintain evidence for legal requirements, it may also be helpful to apply Legal Hold to snapshots taken before or when you detected the infection for legal reasons and forensic investigation.

Multi-Factor Authentication

Compromised directory service platforms and individual accounts are hallmarks of a ransomware attack. Privileged accounts and directory services are high-value targets, and attackers will focus on compromising either one to gain further control of an environment. To defend against these threats, Rubrik enables MFA by default, which can be used natively with Rubrik's Time-based One-Time Passwords (TOTP). When configured, access through all system interfaces (GUI, CLI, and API) requires the end user to complete a secondary authentication step before access is granted.


05. The Importance of Partnering for Ransomware Recovery: Accessing Expertise and Additional Resources

In addition to the above steps and Rubrik's security technologies, we also recommend working closely with a partner to prepare for and recover from a ransomware attack. This can provide additional resources and expertise to ensure a successful outcome. A partner can also help assess the security posture of your organization and provide guidance on how to strengthen it further.

When choosing a partner, consider their experience with Rubrik and their expertise in cybersecurity and data recovery. Look for a partner who can offer a comprehensive range of services, including assessment, planning, implementation, and ongoing support.

Working with a partner can also provide access to additional tools and resources that can help with ransomware recovery, such as threat intelligence, incident response planning, and training for employees on how to recognize and report suspicious activity.

Overall, partnering with a trusted advisor can provide peace of mind and ensure that your organization is well-prepared to respond to a ransomware attack.


